All errata/sisyphus/ALT-PU-2016-3308-1
ALT-PU-2016-3308-1

Package update openstack-keystone in branch sisyphus

Version8.1.0-alt1
Task#162066
Published2016-03-28
Max severityHIGH
Severity:

Closed issues (2)

CVE-2015-7546
HIGH7.5

The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.

Published: 2016-02-03Modified: 2025-04-12
CVSS 2.0MEDIUM 6.0
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
GHSA-8c4w-v65p-jvcv
HIGH8.6

OpenStack Identity Keystone and keystonemiddleware Insufficiently Protected Credentials

Published: 2022-05-13Modified: 2024-09-28
CVSS 3.xHIGH 8.6
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0HIGH 8.6
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References